Security systems have generally been developed for detecting and terminating unwanted activity. For example, unwanted activity has oftentimes resulted from unwanted processes (e.g. rootkits, etc.). However, such security systems have generally exhibited various limitations in situations where the unwanted processes are hidden.
For example, unwanted processes are sometimes capable of hiding themselves within an operating system. Many times, an unwanted process hides by removing the EPROCESS structure associated with the unwanted process from an active process list of the operating system. Generally, such EPROCESS structures are utilized for managing (e.g. identifying, etc.) processes. Thus, the unwanted process may protect itself from being terminated via the active process list by removing the EPROCESS structure with which it is associated.
In particular, security systems sometimes utilize a ZwTerminateProcess function to terminate processes. Such function calls a PspProcessDelete function, which adjusts pointers within the active process list in order to terminate the unwanted process. However, in situations where a hidden process has removed its EPROCESS structure from the active process list, the pointers within the active process list are no longer associated with the unwanted process. Thus, adjustment of the pointers may be incapable of terminating the unwanted process, and furthermore, the active process list may become corrupted.
Still further, some unwanted processes are capable of modifying the pointers of an associated EPROCESS structure within the active process list. For example, the pointers may be modified to point to invalid addresses. Accordingly, an error within the operating system may occur when the ZwTerminateProcess function is executed to terminate such unwanted processes.
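The following is an added user-mode C model, not code from the above description or from any operating system, of the two failure modes just described: a list walk that misses a self-unlinked entry (the cross-view gap a detector can measure), and a pointer-adjusting delete that, applied to an entry with stale or invalid neighbour pointers, would corrupt the list or fault. The `list_entry` type, the `safe_remove` precondition and the scenario data are assumptions chosen for illustration; they stand in for, and do not reproduce, the kernel's LIST_ENTRY and EPROCESS definitions.

```c
#include <stdbool.h>
#include <stddef.h>
/* User-mode model of the doubly linked active process list; field names are
 * simplified stand-ins for LIST_ENTRY/EPROCESS, not the kernel definitions. */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;

static void list_insert_tail(list_entry *head, list_entry *e) {
    e->blink = head->blink; e->flink = head;
    head->blink->flink = e;  head->blink = e;
}
/* Naive unlink, like the delete path the text describes: it rewrites the
 * neighbours' pointers without checking that e is really in the list, so on a
 * hidden entry it writes through stale (freed) or invalid pointers. */
static void list_remove(list_entry *e) {
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}
/* Defensive precondition: both neighbours must point back at e. */
static bool entry_linked(const list_entry *e) {
    return e->flink && e->blink && e->flink->blink == e && e->blink->flink == e;
}
/* Unlink only when the entry is verifiably in the list; otherwise refuse. */
static bool safe_remove(list_entry *e) {
    if (!entry_linked(e)) return false;
    list_remove(e);
    return true;
}
/* Cross-view input: how many entries a forward walk of the list reaches. */
static int list_count(const list_entry *head) {
    int n = 0;
    for (const list_entry *e = head->flink; e != head; e = e->flink) n++;
    return n;
}

typedef struct { int hidden; bool stale_refused, invalid_refused; int survivors; } result;

/* Constructed scenario: p[1] unlinks itself (hiding), then p[0] exits normally,
 * leaving p[1] with stale neighbour pointers; `bad` models pointers set to NULL. */
static result scenario(void) {
    list_entry head = { &head, &head }, bad = { NULL, NULL }, p[3]; result r;
    for (int i = 0; i < 3; i++) list_insert_tail(&head, &p[i]);
    list_remove(&p[1]);                        /* hides: a walk now sees 2 of 3 */
    r.hidden = 3 - list_count(&head);          /* an independent process table knows 3 */
    list_remove(&p[0]);                        /* legitimate exit; p[1].blink is now stale */
    r.stale_refused = !safe_remove(&p[1]);     /* naive removal would write via exited p[0] */
    r.invalid_refused = !safe_remove(&bad);    /* naive removal would dereference NULL */
    r.survivors = list_count(&head);           /* list intact: only p[2] remains */
    return r;
}
```

The `hidden` count is the cross-view discrepancy a detector would report, and `entry_linked` is the check a termination routine can apply before touching neighbour pointers.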
There is thus a need for addressing these and/or other issues associated with the prior art.